The “regular” GRUB bootloader cannot open LUKS2 encrypted volumes, but this is how the Calamares installer creates encrypted setups.
That is why the Calamares installer creates encrypted setups using LUKS1.
There would be no problem using LUKS2 with /boot/efi unencrypted,
so that the boot loader can access the initrd.
If you just go ahead and convert your LUKS1 to LUKS2 you’ll very likely not be able to boot anymore.
It’s a manual process, just like what you did to now have Limine as your boot loader, apparently.
I don’t know that one, and have only ever read about secure boot, but never actually implemented it.
I did partly manual installations with unencrypted /boot and LUKS2 encrypted / and all the rest.
Years ago already.
With GRUB and systemd-boot as well.
Never used Limine - don’t know it.
You can manually convert it to LUKS2. This only changes its LUKS header format without modifying the underlying filesystem encryption.
This is probably safer and more reliable than converting old encryption to another encryption where your data is stored.
The LUKS header is NOT the data encryption.
The encryption algorithm and existing filesystem remain unchanged and compatible, as LUKS2 supports the weaker encryption algorithm (PBKDF2) from LUKS1.
If you’re worried about security in your case, consider converting from PBKDF2 to strong Argon2id.
However, be aware that a power failure during the conversion process could potentially lead to data loss.
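
An added example, not part of the posts above and not cryptsetup's own code: a check to run over `cryptsetup luksDump` output after the header conversion, showing which keyslots still carry PBKDF2 from LUKS1. The function names `luks_pbkdf_audit` and `sample_dump` are hypothetical, `/dev/sdXN` is a placeholder, and the dump text is constructed.

```shell
#!/bin/sh
# Added example. Steps the thread refers to, per cryptsetup(8); /dev/sdXN is a
# placeholder, and convert is run with the volume closed (e.g. from a live system):
#   cryptsetup luksHeaderBackup /dev/sdXN --header-backup-file header.img
#   cryptsetup convert --type luks2 /dev/sdXN
#   cryptsetup luksConvertKey --pbkdf argon2id /dev/sdXN   # once per keyslot

# Hypothetical helper: reads `cryptsetup luksDump` text on stdin, prints the
# header version and the PBKDF of every keyslot. Returns 0 only when the header
# is LUKS2 and no keyslot still uses pbkdf2.
luks_pbkdf_audit() {
    awk '
        /^Version:/               { version = $2 }
        /^Keyslots:/              { in_slots = 1; next }
        /^[A-Za-z]/               { in_slots = 0 }   # any other top-level section
        in_slots && /^ +[0-9]+: / { slot = $1; sub(/:/, "", slot) }
        in_slots && /PBKDF:/      { print "slot " slot " pbkdf " $2
                                    if ($2 == "pbkdf2") weak++ }
        END {
            print "version " version
            exit ((version != 2 || weak > 0) ? 1 : 0)
        }'
}

# Constructed sample: slot 0 was carried over from LUKS1, slot 1 was added later.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# On a real system: cryptsetup luksDump /dev/sdXN | luks_pbkdf_audit
sample_dump | luks_pbkdf_audit || echo "LUKS1 header or pbkdf2 keyslots remain"
```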